Staff Training on Patient Confidentiality
Shari Nettles
MHA 690 Health Care Capstone
Instructor: Hwangji Lu
April 4, 2019
Confidentiality Issues
• UCLA Hospital had 120 workers look at celebrities’ medical records between January 2004 and June 2006.
• After a crackdown on this issue, 3 staff members continued to look at a particular well-known individual.
• Another report stated that 127 workers looked at celebrity reports without permission.
• One employee looked at records of 900 patients without a reason, viewing social security numbers, health insurance information, and addresses from April 2003 to May 2007.
HIPAA Privacy Rule
• A rule issued by the United States Department of Health and Human Services that restricts the use and disclosure of personal health information (PHI).
• HIPAA requires that a covered entity make an effort to use, disclose, and request only the minimum necessary amount of PHI for any required task.
• The Privacy Rule sets limits and conditions on the uses and disclosures of PHI without patient authorization.
• Patients have the right to oversee their health information, which includes examining and obtaining a copy of their medical records and requesting corrections.
Personal Health Information
• The Privacy Rule protects a patient’s health information and any identifying information in any format such as files, email, video, audio, or verbal communication.
• Personal health information is considered:
  • Birth, death or treatment dates
  • Telephone numbers, addresses and other contact information
  • Social security numbers
  • Medical records numbers
  • Photographs
  • Any other identifying number or account number
Breach of Confidentiality Notification
• Notify patients who are affected by the breach.
• For more than 500: Notify the Secretary of HHS no later than 60 days from discovery of the breach.
• For fewer than 500: Notify the Secretary of HHS within 60 days of the end of the calendar year.
Compliance and Enforcement
• The Office of Civil Rights (OCR) investigates filed complaints.
• OCR conducts compliance reviews to determine whether an organization is in compliance.
• OCR performs education and outreach to ensure an organization’s compliance with the Rules’ requirements.
• OCR works with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
Compliance
• Put in place administrative procedures, policies, and practices to ensure that access to and the use of PHI is regulated.
• Include physical security for protection of all data and documents containing PHI.
• Include technical security for prevention of any breaches of PHI.
• Educate staff on HIPAA privacy rules.
References
• Fox News. (2008). Report: Over 120 UCLA hospital staff saw celebrity health records. Retrieved from https://www.foxnews.com/story/report-over-120-ucla-hospital-staff-saw-celebrity-health-records
• Health & Human Services. (2015). The HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
